NIFI-6227 (Apache NiFi): Get Access Policy for Action-Resource endpoint does not accept encoded '/' characters in the path param for resource


Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved

    Description

      The REST API has the following endpoint:

      GET /policies/{action}/{resource}
      

      The resource path parameter can contain forward slash characters. Client HTTP frameworks that use URI templates, and Swagger codegen clients, will by default URL-encode forward slash ('/') characters in path parameters (i.e., as %2F). However, the server rejects encoded slash characters in path parameters with the following error message:

      ValueError: The request was rejected because the URL contained a potentially malicious String "%25"
      

      This is due to the Spring Security StrictHttpFirewall, which is enabled by default.

      One possible solution would be to provide our own HttpFirewall bean that subclasses StrictHttpFirewall and allows encoded slashes only when the HTTP method is GET and the URL path starts with /policies/read/* or /policies/write/*. Then, in the controller code for this endpoint, we could decode the resource parameter safely.

      Note: The code for this endpoint is in AccessPolicyResource.
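      As an added illustration of the first proposal above (hypothetical code, not NiFi's own): a Java HttpFirewall that keeps StrictHttpFirewall's default rules for every request and permits encoded slashes only on GET requests under the two policy paths, plus a once-only decoder for the controller side. The class name, the path prefixes and the assumption that the parameter reaches the controller still percent-encoded (e.g. via JAX-RS @Encoded) are mine.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.firewall.FirewalledRequest;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

// Hypothetical class, not NiFi code: StrictHttpFirewall defaults everywhere, %2F allowed only on GET policy lookups.
public class PolicyLookupHttpFirewall implements HttpFirewall {
    // Assumed mount points taken from the ticket; prepend the servlet context path if the API is not at the root.
    private static final String[] RELAXED_PREFIXES = {"/policies/read/", "/policies/write/"};
    private final StrictHttpFirewall strict = new StrictHttpFirewall();  // rejects %2F, %25, "..", etc.
    private final StrictHttpFirewall relaxed = new StrictHttpFirewall(); // same rules, except %2F is accepted

    public PolicyLookupHttpFirewall() {
        relaxed.setAllowUrlEncodedSlash(true);
        // setAllowUrlEncodedPercent stays at its default: a double-encoded value (the "%25" in the ticket's
        // error message) is still rejected, so a single decode pass in the controller is enough.
    }

    // getRequestURI() is still percent-encoded here, so an encoded prefix cannot slip past this match.
    private static boolean isPolicyLookup(HttpServletRequest request) {
        if (!"GET".equals(request.getMethod())) return false;
        String rawUri = request.getRequestURI();
        for (String prefix : RELAXED_PREFIXES) {
            if (rawUri.startsWith(prefix)) return true;
        }
        return false;
    }

    @Override
    public FirewalledRequest getFirewalledRequest(HttpServletRequest request) throws RequestRejectedException {
        return (isPolicyLookup(request) ? relaxed : strict).getFirewalledRequest(request);
    }

    @Override
    public HttpServletResponse getFirewalledResponse(HttpServletResponse response) {
        return strict.getFirewalledResponse(response);
    }

    // Controller side (assumes the value arrives still encoded, e.g. JAX-RS @Encoded): decode exactly once,
    // then refuse anything that is still encoded or contains a parent-directory segment.
    public static String decodeResource(String encodedResource) throws UnsupportedEncodingException {
        String decoded = URLDecoder.decode(encodedResource, "UTF-8"); // caveat: URLDecoder also maps '+' to ' '
        if (decoded.contains("%") || decoded.contains("..")) {
            throw new IllegalArgumentException("resource must be encoded exactly once and contain no '..'");
        }
        return decoded;
    }
}
```

      Expose it as an HttpFirewall bean (or pass it to WebSecurity.httpFirewall) so Spring Security uses it in place of the default. Keep the prefix list as narrow as the endpoint needs, since every path it covers gives up the encoded-slash protection.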

      Another possible solution would be adding an alternate endpoint that uses query parameters instead of path parameters.

      This is currently a low-priority ticket, because most HTTP client frameworks offer an option not to encode slashes in path parameters, even if their default behavior is to encode them. RFC 6570 refers to this behavior as "Path Segment Expansion" to differentiate it from path parameter substitution.

      People

        Assignee: Unassigned
        Reporter: Kevin Doran (kdoran)
        Votes: 0
        Watchers: 1